
ESAs and UK Regulators Sign Memorandum of Understanding on Cross Border Oversight of Critical ICT Providers under DORA

The European Supervisory Authorities (ESAs) and the UK’s Bank of England, Prudential Regulation Authority and Financial Conduct Authority (together, the UK Regulators) have signed a Memorandum of Understanding (MoU) to coordinate the cross‑border oversight of critical information and communication technology (ICT) third‑party service providers (CTPPs under the EU regime, CTPs under the UK regime) that serve EU and UK financial entities.

The MoU aims to strengthen operational resilience by enabling structured cooperation, timely information exchange and coordinated oversight actions across jurisdictions. 

Background

The MoU implements the EU Digital Operational Resilience Act (DORA)’s international cooperation framework, reflecting provisions in Articles 36, 44 and 49 that empower the ESAs to conduct oversight, conclude cooperation arrangements with third‑country authorities and coordinate systemic cyber incident responses. 

Under DORA, each designated CTPP is overseen by a lead overseer among the ESAs, with powers that include information requests, investigations and on‑site inspections. In parallel, the UK’s CTP regime under the Financial Services and Markets Act 2023 enables HM Treasury (HMT) to designate critical third parties and confers oversight functions on the UK Regulators. Both regimes recognise the systemic importance of ICT providers and the need to mitigate cross‑border third‑party risk through supervisory cooperation. 

MoU scope, objectives and key concepts

The MoU is a non‑binding statement of intent. It may be amended by consent of the ESAs and UK Regulators, or terminated on 30 days’ notice, with confidentiality surviving. It becomes effective upon signature by all authorities.

The MoU sets principles and procedures for cooperation and information sharing between the ESAs and UK Regulators in relation to CTPPs and CTPs, including entities with premises in the other jurisdiction that support local financial firms. It applies to both mutually designated providers and those designated in only one jurisdiction, with a concept of “Mutually Designated CTP/CTPP” used to prioritise deeper coordination. The authorities commit to timely, material information exchange, interpretative assistance and engagement support in cases of non‑cooperation, all subject to legal constraints. 

Information exchange mechanics and security

Information will be exchanged primarily via “Secure Electronic Means”, including the ESAs’ dedicated oversight collaboration tool, with fallbacks such as encrypted email and, for urgent matters, oral communication followed up in writing. Shared materials are labelled under the “Traffic Light Protocol” (TLP) to calibrate sensitivity and onward sharing, complementing each authority’s internal security classifications. The MoU also enumerates “onward sharing authorities” (e.g., EU competent authorities, the ESAs, the European Systemic Risk Board, the UK Regulators), with conditions and notice duties to preserve secrecy and proportionality.

Coordinated on‑site inspections

Where DORA oversight objectives cannot be met through EU subsidiaries or domestic measures, the ESAs may conduct on‑site inspections at UK premises connected to the services provided by EU CTPPs, subject to necessity, direct relatedness, provider consent and UK non‑objection. The ESAs must notify the UK Regulators in advance (typically three to six weeks) with details of scope, legal basis and timing, and the UK Regulators will endeavour to cooperate and to respond within 15 business days for mutually designated providers. Reciprocal procedures apply when the UK Regulators seek access to EU premises, with the ESAs assisting and facilitating contact with the relevant EU authorities where appropriate.

Incident response and enforcement coordination

The MoU supports prompt alerts and coordinated responses to emergency situations, including major ICT incidents with systemic impact and CTP operational incidents under the UK Regulators’ rules. It also encourages joint oversight activities such as observing the incident management playbook exercises of CTPs (which form part of the UK Regulators’ approach to oversight). It establishes notification pathways where one side detects non‑compliance or imposes measures, including advance notice of equivalent UK actions such as suspensions or terminations of contractual arrangements.

Confidentiality and data protection 

Information exchanged is treated as confidential by default and used only for oversight functions, with strict secrecy obligations, consent‑based onward disclosure and protections against waiver of privilege. The ESAs confirmed the equivalence of the UK’s confidentiality and professional secrecy regime to the EU framework. 

The MoU is available here.
